diff --git a/internal/store/migrations/0018_user_setup_tokens.sql b/internal/store/migrations/0018_user_setup_tokens.sql
new file mode 100644
index 0000000..a308cfb
--- /dev/null
+++ b/internal/store/migrations/0018_user_setup_tokens.sql
@@ -0,0 +1,16 @@
+-- 0018_user_setup_tokens.sql
+--
+-- One outstanding setup token per user (PRIMARY KEY on user_id).
+-- Regenerating a link is INSERT OR REPLACE — old token immediately
+-- invalid. Token is stored as sha256(raw) hex, never the raw token,
+-- so a DB leak doesn't leak active links.
+
+CREATE TABLE user_setup_tokens (
+  user_id     TEXT PRIMARY KEY REFERENCES users(id) ON DELETE CASCADE,
+  token_hash  TEXT NOT NULL,
+  expires_at  TEXT NOT NULL,
+  created_at  TEXT NOT NULL,
+  created_by  TEXT REFERENCES users(id) ON DELETE SET NULL
+);
+
+CREATE INDEX user_setup_tokens_expires ON user_setup_tokens(expires_at);